Transcript for:
Username Enumeration through Account Lockout

Hi everyone, welcome back to another video in the Web Security Academy series. In today's video we'll be covering lab number seven in the authentication module, titled "Username enumeration via account lockout". All right, let's get started. This lab is vulnerable to username enumeration. It uses account locking, but this contains a logic flaw. To solve the lab, enumerate a valid username, brute-force this user's password, then access their account page. You've got candidate usernames and candidate passwords. Okay, so the target goal of the lab is to exploit the logic flaw to enumerate the list of valid usernames first, and then enumerate the passwords for the list of valid usernames.

All right, let's access the lab. Now notice over here, this is the built-in browser in Burp, and so all my requests are already being passed through my proxy. I am using the Professional version of Burp because we do need to use Intruder to automate a portion of this attack, and Intruder is heavily throttled in the Community Edition. Okay, let's click on "My account", and what we're gonna do is, let's say the first username is Carlos, and the password, let's say, is test. Hit log in. So this is probably an invalid username and password. Let's send this to Repeater, hit send, click on render: you've got "Invalid username and password". Render again, so that's number two, number three, number four, number five, number six, number seven, and we don't get any lockout mechanism. So I'm wondering if that's because this is an invalid username that we don't get a lockout mechanism, and if we do try to brute-force a valid username we get that you tried too many attempts and so your account has been locked out. So let's test that out.

Let's send this to Intruder. In Intruder, let's clear, and then under username let's highlight that, and then for password let's remove the entire thing and just add this twice. What that means is that we're trying to brute-force usernames with empty passwords. And then in payloads over here, we're gonna go back over here and get the list of candidate usernames. Let's copy this, paste it in here, so that's for the list of usernames. Now for the password over here, what we're going to do is we're going to click on payloads, and we need Pitchfork for this case, and for the second one right over here we're going to click on null payloads, and we're gonna say generate five payloads over here. So essentially what this will do is it'll try every username in the list five times to see if we get an account lockout, and the idea over here is we're trying to see if one of these usernames is valid: are we actually going to get an account lockout, or are we not going to get locked out, just like for any invalid username? So let's click on start attack, and we're getting status codes of 400, so I'm definitely doing something wrong, and actually I know what I'm doing wrong: I selected the wrong type. So instead of Pitchfork, what we're looking at is Cluster bomb. The definition of Cluster bomb is: this attack uses multiple payload sets; there is a different payload set for each defined position. So because we need five null values for each username, we actually have to use Cluster bomb instead of Pitchfork. So let's go to payloads over here, this is still correct, and for one we still have our usernames, so this looks good, and we go to Resource pool, we do not need a custom resource pool, 10 is fine. So let's start attack. It's trying, it's going to perform 505 requests, so we'll wait for all of that to work and then we'll see if one of our requests is giving us a different status code or a different length.

Okay, so I'm getting 400 status codes for all of them, so that's not a good sign. Over here it's telling me it's missing the parameter, and I thought I had resolved that issue. So let's close this, discard it, go back over here, payloads, positions. Okay, so I know what the issue is over here: it can't actually be null, you have to have something in there, and then this will allow us to do it five times, so a null value that will be concatenated with this value over here. So I believe this should work, and we're getting 200. Okay, so this is good. Let's wait for it to perform all 505 requests, and then we'll see if it outputs a different length or a different status code that could potentially help us out when it comes to the username enumeration. Okay, so the status code is unlikely to change; let's look at the length over here. So you could see acid has a different length than the rest of them. So let's look at the response and render, and here we go, it says "You have made too many incorrect login attempts". So if you try an incorrect username or an invalid username you won't get locked out, but if you try a valid username you will get locked out, and so the valid username over here is acid.

So now all we have to do is brute-force the password. So let's close this over here, discard, let's clear this over here, and then the username is acid, the password over here is what we need to test, and in this case it's not Cluster bomb, it's just Sniper. Let's go back to the lab and click on candidate passwords, copy it over here, go to payloads, clear, and paste our list of passwords, and click on start attack. Now of course if there is a lockout mechanism over here we can't brute-force the password, but I'm hoping there's no lockout mechanism and we do get a change in status code that could potentially allow us to figure out what the password is. And it does not look like it. So let's see over here the response, and render it, and it's telling me "You have made too many incorrect login attempts". Hmm. So the request over here, you've got acid, and the response over here, and now notice some of the responses have different lengths. So we've got 124 is different from the majority of the rest. So we've got over here "Invalid username or password", over here we've got "Invalid username or password", and then over here "Invalid username or password", and then over here it says "You have made too many incorrect attempts". Let's do a sort on length, and over here again you've got a different length. So this is really weird, something is really wrong in the back end. Over here we don't even get an error at all. So this is really weird; this tells me I should try this password and see what happens.

So let's go back to our application, try the username that we found, so acid, and then the password Superman, and hit login and see if we could log in. And here we go, it allowed us to log in. So my guess over here is, when an account is locked out and you actually try a correct password, what happens is the logic error in the back end doesn't output an error message saying that it's an invalid username or password like it does over here; it just redirects you to the login page because you're locked out. However, this way you have the ability to brute-force the password, and all you have to do is just wait for the one-minute soft lockout to complete and then try the password, which is what we did over here. So that's a really interesting logic vulnerability in the authentication mechanism of the application. Anyway, so we've successfully completed the exercise by exploiting the vulnerability using Burp Intruder. Now we usually script in Python, however as you can see there is a huge human element component to this lab that requires analysis, and so we can't script this in Python. In the next lab we'll look at another case of a broken authentication vulnerability. If you like the video, hit the subscribe and share button so that the video reaches a wider audience. Also make sure to check out my course if you're interested in seeing more videos like this one. Thank you, and see you in the next video.
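As an added example (not part of the video or of the lab's own code), here is a minimal Python model of the back-end logic flaw the speaker infers, placed beside a hardened version that checks the lockout first and answers every rejection identically. The account name, password, three-failure threshold and one-minute lockout are constructed assumptions for the demonstration.

```python
import hmac
import time
from dataclasses import dataclass, field

# Constructed sample account store and policy (hypothetical, not the lab's data).
ACCOUNTS = {"acid": "superman"}
MAX_FAILURES = 3
LOCKOUT_SECONDS = 60
GENERIC = (200, "Invalid username or password")
@dataclass
class LoginState:
    failures: dict = field(default_factory=dict)      # username -> failed count
    locked_until: dict = field(default_factory=dict)  # username -> unix time

def _record_failure(state, user, now):
    state.failures[user] = state.failures.get(user, 0) + 1
    if state.failures[user] >= MAX_FAILURES:
        state.locked_until[user] = now + LOCKOUT_SECONDS

def login_vulnerable(state, user, password, now=None):
    """Models the lab's flaw: the lockout is only consulted after the password
    check, so a locked account answers a correct password with a bare redirect
    and a wrong one with the lockout message, while unknown users never lock."""
    now = time.time() if now is None else now
    if user not in ACCOUNTS:
        return GENERIC
    if ACCOUNTS[user] == password:
        if state.locked_until.get(user, 0) > now:
            return (302, "")  # locked: redirect with no error text
        state.failures[user] = 0
        return (302, "session issued")
    _record_failure(state, user, now)
    if state.locked_until.get(user, 0) > now:
        return (200, "You have made too many incorrect login attempts")
    return GENERIC

def login_hardened(state, user, password, now=None):
    """Evaluates the lockout first and returns one identical response on every
    rejection, so neither the lockout nor a correct password during lockout
    stands out from an ordinary failed login."""
    now = time.time() if now is None else now
    expected = ACCOUNTS.get(user, "")
    ok = hmac.compare_digest(expected, password)  # constant-time; runs for unknown users too
    if not expected or state.locked_until.get(user, 0) > now or not ok:
        if expected:
            _record_failure(state, user, now)
        return GENERIC
    state.failures[user] = 0
    return (302, "session issued")
```

Running the vulnerable model against a few failures reproduces both signals seen in Intruder (the lockout message appearing only for the real account, and the response shrinking when the right password arrives during lockout); the hardened model returns the same status and body for every one of those cases.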